detrarurto2
I have my router send all incoming traffic on port 80 and 443 to an nginx jail running on my TrueNAS CORE device.
This was easy, via port forwarding.
I'm using nginx because I want to have different hostnames go to different jails.
site1.mydomain.com -> nginx sends that through to 10.0.0.31
site2.mydomain.com -> nginx sends that through to 10.0.0.32
etc.
That was easy, using proxy_pass.
But when I start adding SSL and certs, I get confused and am not sure of the best idea.
It seems better to me to have all my certs and nginx cert config in the one master nginx jail.
This makes renewing certs (Let's Encrypt) easier as there is just one place that certs get renewed. (Instead of each jail needing to look after its own cert.)
Should I have my main nginx jail set the cert + private key for a hostname, then proxy_pass to the correct jail?
Or, is it better to make my main nginx have nothing to do with ssl at all, only proxy_pass, and have the nginx instance in the target jails set the certs?
Not sure of all of the pros/cons.
The reason I ask:
I installed the official Nextcloud plugin, and it was working fine on the jail's internal IP.
I tried to make this available via a hostname + apply certs, proxy_pass from my nginx jail to Nextcloud -- I only had issues. I could not get it to work that way. I believe this was because the Nextcloud plugin had its own self certs it was using in its own nginx config, so my certs when I proxy_pass to it were breaking things(?)
I was successful with other sites, so I think the Nextcloud plugin just isn't for all use cases, and will install it myself manually.
Any advice is appreciated, thank you!
P.S. Maybe a somewhat related question: what are the pros and cons of having ONE MariaDB instance in a jail that is shared amongst all jails that need a db, vs. each jail having its own MariaDB instance?
Multiple instances = more overall system resources needed, more security, more setup time
One instance = individual jails can be killed easily and remade without worrying about backing up the database
Anything else?
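The two layouts the post asks about, sketched as nginx configuration for the front jail. This is an added example, not part of the original post: the hostnames and jail IPs are the ones given above, while the certificate paths, the ACME webroot and the availability of the stream module with ssl_preread are assumptions.

```nginx
# Option A and Option B are alternatives: both bind port 443, so only one
# of the two blocks can be active in the front jail at a time.

# --- Option A: front jail terminates TLS and holds every cert and key ---
http {
    server {
        listen 80;
        server_name site1.mydomain.com site2.mydomain.com;
        # Keep the HTTP-01 challenge reachable so renewals keep working
        # (webroot path is an assumption).
        location /.well-known/acme-challenge/ { root /usr/local/www/acme; }
        location / { return 301 https://$host$request_uri; }
    }
    server {
        listen 443 ssl;
        server_name site1.mydomain.com;
        # Assumed certbot layout on FreeBSD; adjust to where your client writes.
        ssl_certificate     /usr/local/etc/letsencrypt/live/site1.mydomain.com/fullchain.pem;
        ssl_certificate_key /usr/local/etc/letsencrypt/live/site1.mydomain.com/privkey.pem;
        location / {
            # Plain HTTP on the jail network: the backend must listen on 80
            # and must not redirect back to HTTPS on its own.
            proxy_pass http://10.0.0.31;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    # A second "listen 443 ssl" server block for site2 -> 10.0.0.32 follows
    # the same pattern with its own certificate.
}

# --- Option B: front jail only routes on SNI; each jail keeps its own cert ---
stream {
    # The hostname is read from the TLS ClientHello without decrypting.
    map $ssl_preread_server_name $backend {
        site1.mydomain.com 10.0.0.31:443;
        site2.mydomain.com 10.0.0.32:443;
        # No default entry: names not listed here get no backend.
    }
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $backend;
    }
}
```

With Option A every private key sits in the front jail and traffic between jails is unencrypted, so that jail and the 10.0.0.x network become the trust boundary. With Option B the front jail never sees plaintext or keys, but each backend jail has to obtain and renew its own certificate.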